Latest Yiiframework Vulnerabilities

yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
Yiiframework Yii2-authclient<2.2.15
The Oauth2 PKCE implementation is vulnerable
Yiiframework Yii2-authclient<2.2.15
Unsafe deserialization of user data in yiisoft/yii
Yiiframework Yii<1.1.29
** DISPUTED ** Yii 2 v2.0.45 was discovered to contain a cross-site scripting (XSS) vulnerability via the endpoint /books. NOTE: this is disputed by the vendor because the cve-2022-31454-8e8555c31fd3 ...
Yiiframework Yii=2.0.45
## Withdrawn Advisory This advisory has been withdrawn because the issue originates from a product built on Yii2, not the Yii2 Framework itself. This link is maintained to preserve external references...
Yiiframework Yii>=2.0.0<=2.0.47
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
Yiiframework Yii<1.1.27
yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator
Yiiframework Yii>=2.0.0<2.0.43
### Impact Remote code execution in case application calls `unserialize()` on user input containing specially crafted string. ### Patches 2.0.38 ### Workarounds Add the following to BatchQueryRes...
Yiiframework Yii<2.0.38
Yii 2.x through actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfi...
Yiiframework Yii>=2.0<=
Potential remote code execution in LUA context of the redis server via methods `yii\redis\ActiveRecord::findOne()` and `::findAll()`
Yiiframework Yii<2.0.15
Possibility of manipulated condition when unfiltered input is passed to `yii\elasticsearch\ActiveRecord::findOne()` and `::findAll()`
Yiiframework Yii>=2.0.0<2.0.15
Potential SQL injection in methods `yii\db\ActiveRecord::findOne()` and `::findAll()`
Yiiframework Yii>=2.0.0<2.0.15


SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203